Monday, May 1, 2017

For Users of Redis, Running Locally Can Be a Major Security Risk

If you are running Redis locally and, like most people as of this writing, you're using a version older than 3.2.7 (released January 31, 2017), I can most likely copy your entire database, drop an ssh key in your authorized_keys file, overwrite arbitrary files on your computer, and lay a trap that will run arbitrary code next time you open your terminal.
All of this can be triggered just by visiting a malicious web site, or a legitimate site that has had malicious JavaScript injected into it.
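The warning above rests on two checkable facts: the server's version relative to 3.2.7, and whether it keeps executing commands after an HTTP request line arrives on its port (which is what lets a browser-issued POST drive Redis). The script below audits a loopback Redis for both. It is an added example, not code from the original post or from BugReplay; it assumes Redis is listening on 127.0.0.1:6379 without TLS, and the INFO text it embeds is a constructed sample.

```python
"""Audit a Redis listening on the loopback interface for the exposure described
above.  This is an added example, not code from the original post or from
BugReplay.  It assumes Redis is at 127.0.0.1:6379 with no TLS; the INFO text
below is a constructed sample of what an older server returns."""
import socket

# 3.2.7 is the first release that closes the connection on seeing an
# HTTP-shaped "POST" or "Host:" line instead of treating it as a bad command.
FIXED_IN = (3, 2, 7)

# Constructed sample of an INFO server reply from a pre-fix instance.
SAMPLE_INFO = "# Server\r\nredis_version:3.2.6\r\nredis_mode:standalone\r\n"


def parse_version(text):
    """'3.2.6' -> (3, 2, 6), so releases compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def version_from_info(info):
    """Pull redis_version out of the INFO server text."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version missing from INFO reply")


def predates_fix(version):
    """True when the server is older than the 3.2.7 mitigation."""
    return version < FIXED_IN


def resp_command(*args):
    """Encode a command as a RESP array, the wire format redis-cli speaks."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_bulk_reply(raw):
    """Decode a RESP bulk string ($<len>\\r\\n<payload>\\r\\n); None for $-1."""
    if not raw.startswith(b"$"):
        raise ValueError("not a bulk reply: %r" % raw[:40])
    header, _, rest = raw.partition(b"\r\n")
    length = int(header[1:])
    if length < 0:
        return None
    return rest[:length].decode()


def _recv_until_quiet(sock, timeout=2.0):
    """Read until the peer closes or goes silent for `timeout` seconds."""
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    except (socket.timeout, ConnectionResetError):
        pass
    return b"".join(chunks)


def check_local_redis(host="127.0.0.1", port=6379):
    """Return the server version and whether it executes commands that follow
    an HTTP request line on the same connection."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        s.sendall(resp_command("INFO", "server"))
        raw = _recv_until_quiet(s)
        if raw.startswith(b"-"):  # e.g. -NOAUTH when requirepass is set
            raise RuntimeError("INFO refused: %s" % raw.strip().decode())
        version = version_from_info(parse_bulk_reply(raw))

    # Send the first lines a browser's POST would deliver, then a harmless
    # PING.  A fixed server drops the connection; an older one answers PONG
    # (or -NOAUTH), proving a request body would be run as commands.
    with socket.create_connection((host, port), timeout=2.0) as s:
        try:
            s.sendall(b"POST / HTTP/1.1\r\nHost: localhost\r\n\r\n")
            s.sendall(b"PING\r\n")
            reply = _recv_until_quiet(s)
        except (BrokenPipeError, ConnectionResetError):
            reply = b""
    executes_after_http = b"PONG" in reply or b"NOAUTH" in reply

    return {
        "version": ".".join(map(str, version)),
        "predates_fix": predates_fix(version),
        "executes_after_http_line": executes_after_http,
    }


if __name__ == "__main__":
    print(check_local_redis())
```

Run it on the machine that hosts the Redis instance. One caveat worth keeping in mind: protected mode (introduced in 3.2.0) does not help against this attack, because after DNS rebinding the browser's request reaches Redis from the loopback interface, which protected mode accepts; only the 3.2.7 behaviour of dropping HTTP-shaped input, a bound password, or a non-default port the page cannot guess changes the outcome.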

Background

I read "How to steal any developer's local database" a while back on Hacker News, and thought it might be a fun project to try out with BugReplay. In the process I've learned how powerful DNS rebinding can be as a method of attack and the kind of damage that can be done. This article is an attempt to build on that previous work and demonstrate the techniques involved.
When you look at typical authorization mechanisms,

Thursday, February 23, 2017

Introducing Feedback by BugReplay: A Customer Support Tool


Instead of relying on your users to explain what went wrong, wouldn’t it be easier if you could SEE for yourself?


We're excited to announce that Feedback by BugReplay ("Feedback") is now in private beta. With Feedback, your customers can record the problem they encountered on your website, and you'll receive a detailed report that helps you fix it faster. Our browser extension creates a synchronized recording of user actions, network traffic and JavaScript logs.